0x1500 control code arbitrary code execution: Difference between revisions
Old revision: Torchickens (no edit summary)
New revision: Torchickens (no edit summary)
Line 1: | Line 1:
{{Arbitrary code execution}} |
{{Arbitrary code execution}} |
{{incomplete}} |
{{incomplete|Original speedrunning method needed}} |
[[File:0x1500 Lapras.png|thumb|right|160px|Traded Lapras method. In this case, the arbitrary code execution is triggered after exiting the inventory with A on Cancel with Antidote x21 at the bottom of the bag, and then viewing Lapras's summary.]] |
'''0x1500 control code arbitrary code execution''' is an [[arbitrary code execution]] method found in {{Crystal}}. It does not occur in {{GS}}. |
'''0x1500 control code arbitrary code execution''' is an [[arbitrary code execution]] method found in {{Crystal}}. It does not occur in {{GS}}. |
It was discovered by luckytyphlosion. The original method used for speedrunning purposes is not yet covered in this article. |
This glitch involves the combination of the byte 0x15 ("Day" control character) followed by 0x00 in a text string, and will lead to arbitrary code execution at memory address 0xCD52. Once the code is terminated with a ret, the program counter by default will be at the location following where the 0x1500 sequence was in the RAM. |
This glitch involves the combination of the byte 0x15 ("Day" control character) followed by 0x00 in a text string, and will lead to arbitrary code execution at memory address 0xCD52. Once the code is terminated with a ret, the program counter by default will be at the location following where the 0x1500 sequence was in the RAM. |
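Review bot: the explanation paragraph names the jump target (0xCD52) but never says what that address holds or why the 0x15 ("Day") handler ends up executing there, so a reader cannot tell how the text-string bytes become code; one sentence or a link to the control-character documentation would close that gap. The new sentence "The original method used for speedrunning purposes is not yet covered in this article" restates the reason already given in `{{incomplete|Original speedrunning method needed}}`; keep one of the two.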
Line 8: | Line 11:
There are various means of setting up this glitch: |
There are various means of setting up this glitch: |
==Unterminated name glitch Pokémon method w/ traded Lapras== |
==Unterminated name glitch Pokémon method w/ traded Lapras and box names== |
For this method, an [[unterminated name glitch Pokémon]] is required. A convenient way of getting one is through a box name corruption glitch in {{RBY}}, such as through the [[ItemDex/RB:094|9F (0x5E)]] glitch item in {{RB}}. |
For this method, an [[unterminated name glitch Pokémon]] is required. A convenient way of getting one is through a box name corruption glitch in {{RBY}}, such as through the [[ItemDex/RB:094|9F (0x5E)]] glitch item in {{RB}}. |
Line 661: | Line 664:
Interestingly, I found this ACE exploit a while ago when attempting to do regular cloning, but I dismissed it as the result of a crash. (When I was doing some testing regarding cloning, I encountered this glitch again and actually decided to look into it)." |
Interestingly, I found this ACE exploit a while ago when attempting to do regular cloning, but I dismissed it as the result of a crash. (When I was doing some testing regarding cloning, I encountered this glitch again and actually decided to look into it)." |
</tt> |
</tt> |
==Stored unterminated name Pokémon/bad clone method w/ stored PC items== |
===Video=== |
{{YouTube|YqD68-2aAjg|Crystal_}} |
===Requirements=== |
(From Crystal_'s video) |
1. Items in the PC item storage ended with a ret command, with register de set to a specific value (e.g. 0134) |
2. A bad clone in the current PC box |
3. Max Elixer or TM21 (Frustration) in the bag |
4. Quagsire in party slot 1, with Return as move 1, with a move with less than 10 characters in it, in slot 4 |
5. Spearow holding TM50 (Nightmare) in party slot 2. TM49 may also work and depends on the number of items in the PC item storage. |
===Steps=== |
1. Save and reset the game just outside of a regular Pokémon Center |
2. Press up on the d-pad only, until the player character is one tile below the Pokémon Center desk |
3. Move right only, until facing the wall/edge of map |
4. Move up only until facing the PC. Do not use the PC yet. |
5. Press Start and open the player's bag |
6. Have the cursor point to Max Elixer or TM21, then exit the bag without pressing A on the item |
7. Go to deposit a Pokémon and view your Quagsire's summary. |
8. Exit and scroll down to Spearow, then exit Deposit |
9. Choose withdraw and have the cursor on the bad clone/unterminated name Pokémon, which will force its name and the 0x1500 sequence that follows, and cause arbitrary code execution. |
[[Category:Arbitrary code execution]] |
[[Category:Arbitrary code execution]] |
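Review bot: the new "Requirements" list states that the PC item storage must end in a ret with register de set to a specific value (requirement 1), but none of the nine steps describes how that item arrangement is set up, so the section as written cannot be followed from the text alone and leans on "(From Crystal_'s video)"; either add the setup as a step or say explicitly that it is taken from the video. Two smaller points in the same hunk: "0134" should be written "0x0134" to match the article's hex convention (0x1500, 0xCD52, 0x5E), and step 9's clause "which will force its name and the 0x1500 sequence that follows" is missing its verb phrase; say what happens, i.e. that the game reads the unterminated name and continues into the 0x1500 bytes, which is the trigger the article's opening paragraph describes.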